This entry was posted on Sunday, May 22nd, 2011 at 7:14 pm and is filed under Google, Mozilla, Security.

11 Responses to “A Fistful of Pixels”

Yes, it could make plain old-school phishing more effective, but I don't think that it's a "lust for shrinking down the browser" that's the problem (nor do I think that "lust for shrinking down the browser" is a fair description of what's happening).

URLs are mostly meaningless to most people. Without specific instructions to actually read and compare the URL to something authoritative, URLs don't protect most people from phishing. Sure, it works for you and me, but we're the least susceptible already so that's not a big win.

The site identity block that Mozilla has been working on for a few years now is the way out of this problem. We should make sure that we can surface that at the right times and not worry about the unique resource identifier or other geeky text strings that mean next to nothing to next to nearly all of the people on the Web today.

If "Larry", or some future iteration of him that was smarter about pro-actively warning users, were available from the tab itself, then getting rid of the easily confusing URL is actually a good thing.

@Asa Dotzler
Cart before horse; give us the site identity block and let us evaluate it before disappearing the only plain UI tool left for individuals to verify web navigation. All warning systems have failed so far, so pardon the skepticism about this airware.
And that those who are alert to subversion of the web and find the address bar a help should be deprived of it because it's "not a big win" seems a tad dismissive. Then again, if all Firefox wants is to look after Important-But-Inattentive Mobile Users In A Hurry, then say it now and I can get moving on a push for a fork of Fx-with-UI-feedback.
See, the problem with one-web-fits-all is that while the web has indeed been mostly taken over by commerce, and all power to you and your mates in your work to make users meld seamlessly with services, some of us are forced to access government and financial organisations through web interfaces only and know that those organisations are mostly years behind your bleeding edge in their attention to users' security.
So, in sort of the same way as ISPs with any sense are getting up and running towards IPv6 with dual stack addressing, it's really only fair that Firefox should continue to provide dual old-style UI feedback/new style fingerpoken ideograms ... until us dinosaurs who can read and compare text die out.
Fx participant here, since Firebird.
NS participant since V1.0
The complete, entire pressure for the development of Firefox was to get back diverse user control from MS of what web pages were delivering. NoScript took up the baton as even Firefox lost sight of the way that the web and browsers had become the battlefield for malware, and I hope there's enough still under the hood to allow us to support anybody else who wants to step up to the plate and continue to allow that diversity some agency.

The site identity block seems to be getting a lot of mentions lately, but it's obsolete for the vast majority of the net, and especially so in a conversation where we're discussing the removal of the URL bar. A prime example is this very site. Click the site identity block and what do you get? Nothing. How is that helpful to anyone? Saying that URLs are obsolete to the average Joseph/Josefine is all well and good, but surely if that is the case, the emphasis should be on educating the average user about its importance and role?

Grazie for the plug, Signore. I repeatedly ranted against the jazz-it-up look of Fx3 (The Ugly) vs. the clean, simple lines of Fx2 (The Good), and was derided for it. Now, Fx4 (The Bad) goes too far in the other direction, with gray-on-gray icons on top, and no status bar on the bottom for icons of add-ons, their status, and easy use of same. Getting rid of the URL bar is idiotic, after all the time and trouble spent getting color codes to show standard or EV SSL/TLS, or even just the yellow icon.

Does the attack work when a non-secure-site tab is "morphed into" a secured one?

One of the contributing factors is an ADD-lebrained generation that cannot possibly bear life with fewer than half a dozen tabs open. As a very wise man wrote,

Anything that requires a username and password is, by definition, sensitive to some degree. This Best Practice would seem to defeat the tab-morphing attack completely. In the meantime, it's a good idea to allow users leeway to configure the toolbars, etc., that will or will not be visible, but a very bad idea to strip out everything at the factory. So yes, I'm with you, amico: We still need A Few Pixels More.

By the way, that Best Practice quote is found by clicking the link in my sig, which takes you to my alter ego, The Man With No Name But Who Posts Under One. Post #28160. (I think Bad Behavior blocked an attempt to put the entire PHP post address in the Website block. And I'm going blind trying to read the **** recaptcha nonsense words. There must be a better way.)

@Sergio Leone:
Hmm...maybe the suggested best practice of using a separate browser session for sensitive activities is a use case for Internet Explorer? After all, it should only be let loose on highly-trusted sites anyway! Browse in Firefox, then close it (and let it save your session), open IE, follow bookmarks to your bank/webmail/etc (or configure your homepage to open them automatically), close IE, back to Firefox for browsing. Methinks it has potential.

Of course, IE doesn't have to be the trusted-sites-only browser; anything could be. But it's available on Windows machines without installation, and for better or worse, in terms of proper website rendering, it has the most developer support.

Thanks, but I wouldn't use IE to e-mail my grandmother on her anniversary, much less do online banking with it.

"for better or worse, in terms of proper website rendering, it has the most developer support."

For worse, methinks. My sites render fine in Fx. What if my bank is the victim of, say, an XSS attack or a clickjacking attack? And did you know that there are a few financial sites that won't work unless you allow doubleclick or amazon or whatever? Possibly in an iFrame. That facilitates such attacks.

I deleted IE from this machine a couple of years ago, along with all support files that weren't needed by the OS itself.

The "25% slowdown" you read about refers only to the browser *startup* time (i.e. the time the browser takes to start when you launch it the first time) and, even so, the measurement has been widely criticized for its methodological flaws.
However, if you take it at face value, this just means that NoScript's initialization adds about a tenth of a second to the browser's startup time. Is this something you can live with? On the other hand, by preventing lots of useless content from being loaded and executed, NoScript noticeably reduces page load times, CPU burden and memory consumption. What's more important to you, performance-wise?
At any rate, the startup time is being optimized as well, but don't forget that taken alone it is a misleading metric.